Winning outsourcing strategies How to increase value and reduce risk

How to increase value and reduce risk

Outsourcing is a strategy increasingly being used by organisations to reduce costs and increase value. Outsourcing, however, has its risks. As organisations look to push out more of their custom software application development needs to outsourcing partners, careful planning is required in terms of building stringent software security requirements into contracts and creating a process and metrics to ensure that those requirements are met. This report examines outsourcing practices from 200 of the largest organisations in the UK and the US and provides pointers as to how the most experienced outsourcers are putting in place effective processes to drive the risk out of outsourcing.

Inexperience and a lack of process leads to ineffective outsourcing Industries with the least history of outsourcing experience the most difficulties in successful project completion, while those industries with a long track record exhibit the most satisfaction and success from their outsourcing programmes. While the majority of projects undertaken in the more experienced retail and public sector industries result in success (77.5% and 65% respectively), those undertaken by transport and financial sector companies, where outsourcing is less common, exhibit daunting levels of failure. For example, in these industries, around 50% of projects have been called off completely and 30% of projects undertaken by finance firms have led to legal action being taken.

The importance of getting the contract right cannot be stressed enough Those organisations with the most experience stipulate the most stringent functional and security requirements in the outsourcing contract, giving them greater control, helping to reduce the risks of sub-par applications being delivered, and greatly reducing the likelihood of the need for legal action. For example, the most experienced outsourcers (those outsourcing more than three-quarters of their development needs) are three times more likely to stipulate software security audit requirements in contracts than those outsourcing in a more ad hoc fashion.

Building in requirements for the use of appropriate security tools and requiring extensive testing against agreed standard methodologies further reduces risk Auditing delivered source code against stated security requirements prior to acceptance through the use of automated code analysis is a recommended best practice for firms that outsource their application development. Among leaders in the retail and public sectors, 62.5% check code with automated code scanners, compared to just 32.5% of finance firms, which outsource the least of all. Such scanners reduce the risk of vulnerabilities considerably. Further, just 40% of finance firms test their applications for the most common vulnerability-cross-site scripting-compared to 82.5% of retailers. This could leave financial organisations' applications at serious risk of attack.

Using external providers for application delivery is also outsourcing Security is also important to reduce risk in these fast-emerging delivery models. However, just 47.5% of finance firms mandate that there are controls over who handles their data, compared to 70% in the public sector and 72.5% of retailers, and only 37.5% of finance firms demand any certification of their service providers, compared to 82.5% in public sector and retail organisations.

Conclusion As demonstrated in this report, successful outsourcing of the creation of critical custom software requires an approach taking into account appropriate levels of rigour. Organisations with lower levels of experience in defining security and process controls should adopt those best practices currently in use by those with more familiarity and success. They can then use these as repeatable practices for ensuring the success of future projects.

Download Paper (Registered Members Only)

By downloading you agree to our Terms and Conditions. These include information regarding use of your personal data.